
Preparing Symmetric Crypto for the Quantum World, María Naya-Plasencia (PowerPoint presentation)



  1. Preparing Symmetric Crypto for the Quantum World. María Naya-Plasencia, Inria, France. ERC project QUASYModo. FSE 2019, Paris, March 26 2019

  2. Preliminaries... No quantum knowledge is needed to follow this talk.

  3. Outline
     Introduction
       ◮ Motivation, scenarios and evolution
     Useful quantum tools
       ◮ Presentation of some results
       ◮ Building new useful quantum tools:
         • collision and k-xor algorithms
         • some quantum attacks (Simon+)
     ◮ Final conclusion and open problems

  4. Motivation

  5. Cryptanalysis: Foundation of Confidence
     ◮ Ideal security defined by generic attacks ($2^{|K|}$). Does real security meet this ideal security?
     ◮ Need of continuous security evaluation. Any attack better than the generic one is considered a "break".
     ◮ We are often left with an empirical measure of the security: cryptanalysis.

  6. Very Important Notion: Security Margin
     If no attack is found on a given cipher, what can we say about its robustness?
     The security of a cipher is not a 1-bit piece of information:
       • Round-reduced attacks.
       • Analysis of components.
     ⇒ determine and adapt the security margin.

  7. Very Important Notion: Security Margin
     ◮ Best attacks determine the security margin ⇒ possibly with high complexities: find the highest number of rounds reached.
     ◮ Allows comparing primitives.
     ◮ The estimates of the security margin need to be precise and correct in order to be meaningful.

  8. Post-Quantum Cryptography
     Asymmetric (e.g. RSA): Shor's algorithm: factorization in polynomial time ⇒ current systems not secure! Solutions: lattice-based, code-based cryptography...
     Symmetric (e.g. AES): Grover's algorithm: exhaustive search $2^{|K|} \to 2^{|K|/2}$. Double the key length for equivalent ideal security. Much to learn about cryptanalysis once quantum computing is available.

  9. Post-Quantum Cryptography
     Problem for present existing long-term secrets ⇒ start using quantum-safe primitives NOW.
     Important tasks:
     ◮ Conceive the cryptanalysis algorithms for evaluating the security of symmetric primitives in the P-Q world.
     ◮ Use them to evaluate and design symmetric primitives for the P-Q world.

  10. On Quantum Attacks
     ◮ Compare to the best generic attack;
     ◮ the generic attack is accelerated, so
     ◮ a broken classical primitive might be unbroken in a quantum setting: e.g. a primitive might not have 256-bit security against a classical adversary but might have 128-bit security against a quantum one.

  11. Scenarios and Models

  12. Considered Scenarios
     ◮ Model Q0: classical attacks with classical computers.
     ◮ Model Q1: Q0 + access to a quantum computer.
     ◮ Model Q2: Q1 + superposition queries to a quantum cryptographic oracle (QCO).
     ◮ Model Q3: Q1 + superposition queries with the differences of a secret key in a QCO.

  13. Model Q0: Nothing new here.

  14. Model Q1
     ◮ So far, the best we have obtained is a quadratic speed-up, but it can be smaller:
       • If a primitive is safe in Q0, it will also be in Q1 (safe = no attack better than the generic attack).
     ◮ Does this mean that (so far) the Q1 scenario/results are not interesting? No!

  15. Model Q1
     In a post-quantum future:
     ◮ The "classical" or "quantum" qualifiers will disappear: expected security given by the best generic attack (e.g. Grover).
       And the security margin? → determined by the highest number of rounds cryptanalyzed with any attack more performant than the generic one.
     ◮ Q1 results: important information needed for determining the unique, future security margin.

  16. Model Q2
     Very powerful, BUT... many good reasons to study security in this scenario:
     ◮ Simple: used in security proofs.
     ◮ Non-trivial: many constructions still seem resistant.
     ◮ Inclusive of all intermediate scenarios: protocols, obfuscation, hybrid machines, incompetent users...

  17. Model Q2
     Defined and used in many results: [Zhandry12], [Boneh-Zhandry13], [Damgård-Funder-Nielsen-Salvail13], [Mossayebi-Schack16], [Song-Yun17], Simon's attacks, FX, AEZ...
     An attack in this model ⇒ we need to be extra careful when implementing the primitive in a quantum computer.

  18. Model Q3
     Super strong model: everything is broken [Roetteler-Steinwandt 15]. Too strong a model!

  19. Another scenario classification
     Scenario A) With big quantum memory, or
     Scenario B) quantum memory limited to poly(n).
     The first one: interesting from a theoretical point of view and for considering trade-offs.
     The second one: more "realistic" scenario.

  20. Evolution

  21. First Results
     Quantum Symmetric Cryptanalysis:
     ◮ Quantum analysis of CubeHash [Leurent 10]
     ◮ Simon on 3-round Feistel [Kuwakado Morii 10]
     ◮ Simon on Even-Mansour [Kuwakado Morii 12]
     ◮ Quantum MITM iterated ciphers [Kaplan14]
     ◮ Quantum Related-Key [Roetteler-Steinwandt15]

  22. Quantum Symmetric Cryptanalysis
     In 2015/2016:
     ◮ [Kaplan-Leurent-Leverrier-NP16] Simon on modes / slide attacks.
     ◮ [Kaplan-Leurent-Leverrier-NP16b] Diff/linear.
     Many new results since: FX [Leander-May17], parallel multi-preim. [Banegas-Bernstein17], Multicollision [Hosoyamada-Sasaki-Xagawa17], MITM Q1 [Hosoyamada Sasaki 18], DS-MITM Feistel [Hosoyamada Sasaki 18], Miss-in-the-middle [Xie, Yang 18], Feistel key-recovery [Dong, Wang 18], CCA on Feistel [Ito et al 19]...

  23. Recent activity from QUASYModo
     ◮ Efficient Collisions [Chailloux NP Schrottenloher Asiacrypt17]
     ◮ Quantum cryptanalysis of AEZ [Bonnetain SAC17]
     ◮ On modular additions [Bonnetain NP Asiacrypt 2018]
     ◮ k-xor problem [Grassi NP Schrottenloher Asiacrypt2018]
     ◮ AES quantum evaluation [Bonnetain NP Schrottenloher 18]
     ◮ On quantum slide attacks [Bonnetain NP Schrottenloher 18]
     ◮ Quantum security analysis of CSIDH [Bonnetain Schrottenloher18]
     ◮ Optimal merging in the k-xor problem [NP Schrottenloher 19]
     ◮ Improved low-qubit hidden shift algorithms [Bonnetain 19]

  24. Some Useful Quantum Tools

  25. Some Quantum Tools... that have been useful so far.
     ◮ Amplitude Amplification (AA) / Grover
     ◮ Quantum Counting
     ◮ Quantum Collisions
     ◮ Simon
     ◮ Kuperberg

  26. Amplitude Amplification (Grover's generalization)
     Exhaustive search: Given $f : \{0,1\}^n \to \{0,1\}$, find one element $x \in \{0,1\}^n$ such that $f(x) = 1$.
     ◮ Classical complexity: $\Omega\left(\frac{2^n}{|\mathrm{supp}(f)|}\right)$.
     ◮ Quantum complexity [Brassard-Hoyer 97]: $\Omega\left(\sqrt{\frac{2^n}{|\mathrm{supp}(f)|}}\right)$.
     In detail, we will see later: $O\left(\sqrt{\frac{2^n}{|\mathrm{supp}(f)|}}\,(T_s + T_f)\right)$.

  27. Quantum Counting Algorithm
     Distinguish a biased distribution: Given a Bernoulli distribution, determine with high probability whether it has parameter $1/2$ or $1/2 + \varepsilon$.
     ◮ Classical complexity: $O\left(\frac{1}{\varepsilon^2}\right)$.
     ◮ Quantum complexity [Brassard-Hoyer-Tapp 98]: $O\left(\frac{1}{\varepsilon}\right)$.

  28. Quantum Collision Algorithms
     Collision problem: Given a random function $H : \{0,1\}^n \to \{0,1\}^n$, find $x, y \in \{0,1\}^n$ with $x \neq y$ such that $H(x) = H(y)$.
     ◮ Classical complexity: $\Omega(2^{n/2})$.
     ◮ Quantum complexity [Brassard-Hoyer-Tapp 97]: $O(2^{n/3})$ in queries, in time and in quantum memory → scenario A. (Scenario B later.)

  29. Simon's algorithm
     Simon's problem: Given $f : \{0,1\}^n \to \{0,1\}^n$ such that $\exists s \mid f(x) = f(y) \Leftrightarrow [x = y \text{ or } x \oplus y = s]$, find $s$.
     ◮ Classical complexity: $\Omega(2^{n/2})$.
     ◮ Quantum complexity [Simon 94]: $\tilde{O}(n)$.
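A classical simulation of Simon's algorithm on a small instance, added here as an illustration and not part of the talk: it computes the exact measurement distribution of the H, U_f, H circuit for a constructed periodic f (only y with y·s = 0 ever appear), then recovers s from n-1 independent equations by Gaussian elimination over GF(2). The function names and the toy oracle are assumptions made for this example.

```python
import random

def dot(a, b):  # inner product of two bit-vectors (ints) over GF(2)
    return bin(a & b).count("1") & 1

def make_periodic_function(n, s, seed):
    """Constructed oracle f on n bits with f(x) = f(y) iff x == y or x ^ y == s."""
    size = 1 << n
    outputs = random.Random(seed).sample(range(size), size)
    f = [None] * size
    for x in range(size):
        if f[x] is None:
            f[x] = f[x ^ s] = outputs.pop()
    return f

def simon_distribution(f, n):
    """Exact outcome distribution of Simon's circuit (H, U_f, H, measure y): the
    amplitude of |y>|v> is (1/2^n) * sum_{x: f(x)=v} (-1)^(x.y), which vanishes
    for periodic f whenever y.s = 1, so only y with y.s = 0 are observed."""
    size, probs = 1 << n, []
    for y in range(size):
        amps = [sum(-1 if dot(x, y) else 1 for x in range(size) if f[x] == v) for v in set(f)]
        probs.append(sum(a * a for a in amps) / (size * size))
    return probs

def gf2_insert(basis, row):
    """Insert row into a fully reduced GF(2) basis {pivot_bit: row}; True if independent."""
    for pb, br in basis.items():
        if (row >> pb) & 1:
            row ^= br
    if not row:
        return False
    pb = row.bit_length() - 1
    for k in basis:
        if (basis[k] >> pb) & 1:
            basis[k] ^= row
    basis[pb] = row
    return True

def recover_period(f, n, seed):
    """Sample y until n-1 independent equations y.s = 0 are collected, then solve for s."""
    rng, probs, basis, runs = random.Random(seed), simon_distribution(f, n), {}, 0
    while len(basis) < n - 1:
        runs += 1
        gf2_insert(basis, rng.choices(range(1 << n), weights=probs)[0])
    free = next(b for b in range(n) if b not in basis)  # the one free variable
    s = (1 << free) | sum(1 << pb for pb, row in basis.items() if (row >> free) & 1)
    return s, runs
```

The number of circuit runs returned is O(n), matching the Õ(n) query complexity above, whereas any classical procedure needs about 2^{n/2} evaluations to find the colliding pair.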

  30. Kuperberg's algorithm
     Hidden Shift Problem with modular addition: Let $f, g$ be two injective functions, $(G, +)$ a group. Given the promise that there exists $s \in G$ such that, for all $x$, $f(x) = g(x + s)$, retrieve $s$.
     ◮ Classical complexity: $\Omega(2^{n/2})$.
     ◮ Quantum complexity [Kuperberg 05]: $2^{\tilde{O}(\sqrt{n})}$.

  31. Some new Results New useful Quantum Tools

  32. Some New Useful Quantum Tools
     ◮ New Quantum Collision Algorithm
     ◮ Quantum k-xor Algorithms
     ◮ Multicollisions
     ◮ Grover-meets-Simon
     ◮ Simon-meets-Kuperberg
     ◮ Framework for quantizing classical attacks
     ◮ Quantumly efficient DDT equivalent
     ◮ Miss-in-the-middle search

  33. Collision Search with A. Chailloux, A. Schrottenloher

  34. Collision Search Problem
     Given a random function $H : \{0,1\}^n \to \{0,1\}^n$, find $x, y \in \{0,1\}^n$ with $x \neq y$ such that $H(x) = H(y)$.
     Many applications: e.g. generic attacks on hash functions. (Multi-target preimage search can be seen as a particular case.)

  35. Best known algorithms
                  Time           Queries      Qubits       Classical Memory
     Pollard      $2^{n/2}$      $2^{n/2}$    0            $O(n)$
     Grover       $2^{n/2}$      $2^{n/2}$    $O(n)$       0
     BHT          $2^{2n/3}$ *   $2^{n/3}$    $O(n)$ *     $2^{n/3}$
     Ambainis     $2^{n/3}$      $2^{n/3}$    $2^{n/3}$    0

  36. Considered Model
     ◮ The same one as in the previous quantum collision algorithms, BUT we limit the amount of quantum memory available to a small amount $O(n)$: scenario B instead of A.
     ◮ Available small quantum computers seem like the most plausible scenario.
     ◮ We are interested in the theoretical algorithm and did not yet take implementation aspects into account.

  37. Starting Point: BHT Algorithm
     ◮ Optimal number of queries,
     ◮ $O(n)$ qubits (scenario B),
     ◮ But time?
